Beacon™ is the first dedicated policy-enforcing secure remote access solution for mission-critical OT environments. Beacon is purpose-built for manufacturing, utilities, oil and gas, as compared to today’s security options which include enterprise VPN or software-defined networking tools built for non-industrial enterprise environments. Beacon is now available for subscription-based purchase online.
A flexible, OT-specific, secure private access solution for controlled access to designated OT assets and services, easy user management, and both capex and opex purchasing options.
Beacon is a cloud-hosted, software-defined network remote access product with support for encrypted microtunnels, two-factor authentication, Microsoft Active Directory users and groups, and specific endpoint access capabilities oriented around OT network security requirements.
Beacon provides content-based in-session policy enforcement for certain defined rulesets, and the available list of policies will expand automatically with no user intervention required.
|Beacon||Software-defined networking tools||VPNs|
|Session Origination||Outbound only via SSL from customer to policy engine||Inbound- or outbound, depending on product/vendor||Inbound through/to perimeter firewalls|
|Session Types||Single-user to single-service permissions||User-to-network permission defaults||Network-to-network permission defaults|
|Local-user or AD users/groups|
|Local-user or AD users/groups||Yes||Yes||Yes|
|Native OT protocol support|
|Native OT protocol support||Yes, including deep inspection||Port-level only||n/a|
|Native content-based policy enforcement|
|Native content-based policy enforcement||Yes||No||n/a|
Beacon is a competitive alternative to both generic enterprise VPN products and software-defined networking tools. It offers native policy controls for OT protocols and supports single pane of glass administration via a customer’s private cloud instance of the management portal.
|No SQL Injection1|
|No SQL Injection1||X|
Figure 1: Beacon Services View
Figure 2: Beacon Client Software
Once you place an order or submit a purchase order to Bayshore, our team will begin the provisioning process for your dedicated Beacon Cloud. You’ll be given administrative credentials when it’s ready; while that’s in progress, you can install the Beacon Endpoint Gateway software we’ll provide to you.
Your next step is to create users and services. Users can be locally authenticated within your Beacon Cloud, or you can provide access to your AD server via LDAP. AD server setup is useful because it uses the same proxy model as any other Beacon service, so it’s good practice for learning how to use the web interface.
Finally you can provide the remote access client to the external users. It will be pre-configured to point to your Beacon Cloud. They can install it and, assuming their credentials are already valid, immediately gain access to any services for which their accounts are enabled.
Q: How is Beacon different from a VPN?
A: Beacon controls access by protocol, port, and user. Before any access is permitted, Beacon requires a service on an endpoint to have been exposed (defining both the target port and protocol/service) and a user has to have been given explicit permission to access that endpoint/service combination.
Q: What is the Beacon transport architecture?
A: The Beacon Endpoint Gateway initiates a standard SSL tunnel from within your network to your provisioned cloud instance of the Beacon management interface. That tunnel is persistent by default, and only ever initiated from within your network to the external destination. Authorized remote users initiate a connection request from their locations via the Beacon client, which connects to your dedicated cloud instance, authenticates the user, and then maps their attempt connection to the known list of authorized endpoint/service destinations. If those checks all succeed, the cloud instance of the Beacon software proxies the remote user’s session into the Beacon Endpoint Gateway which, in turn, proxies it again to the actual target endpoint.
Q: Does Beacon support AD integration via LDAP?
A: Yes. Beacon can be configured to validate user and group credentials via your company’s AD server. To use this feature, the AD server is exposed to your Beacon cloud instance using a standard Beacon tunnel, and the LDAP queries are submitted during each user authentication action.
Q: Does Beacon support 2FA?
A: Yes. Beacon requests a mobile number for each user and uses SMS to submit an authorization code to that number each time the user authenticates themselves to the system.
Q: Is Beacon available in an appliance format I can deploy onsite?
A: Not yet. Our intention is to start with the cloud hosted version of Beacon and to make a purely on-premise version available in 2019.
Q: Can I use Beacon to enable persistent site-to-site OT protocol tunnels?
A: Yes. Contact us to discuss this use case in more detail.
Q: Can I get a trial or demo of Beacon?
A: You can subscribe for one month at the minimum subscription level, with no further obligation.
Q: When will Beacon be available?
A: Beacon subscriptions are available now.